
Attribution Growing Challenges For LEAs

Unit Chief Donald Codling (Retired), Federal Bureau of Investigation (FBI) Cyber Division, 3 October 2013.


Presentation Transcript


  1. Attribution Growing Challenges For LEAs. Unit Chief Donald Codling (Retired), Federal Bureau of Investigation (FBI) Cyber Division, 3 October 2013

  2. What is Carrier Grade Network Address Translation?
     • Network Address Translation (NAT):
       • Used in private networks (home, small business) to manage networks through private IPv4 addresses
     • Carrier Grade NAT (CGN):
       • Places a NAT between the access network and the Internet
       • Allows a single public IPv4 address to be used to support multiple customers
     • CGN is not new but much more pervasive:
       • Used for many years in developing nations and by mobile providers faced with explosive growth of customers without access to blocks of IPv4 addresses
     • Impact: NO ATTRIBUTION

  3. IPv4 - IPv6 transition
     • Until recently all that was needed for subscriber information was an IP address - not now
     • IPv6 deployment is not fast enough
       • Many devices still not IPv6 capable, e.g., CPEs, routers, TVs, etc.
     • IPv4 addresses are almost gone
       • ARIN: no more IPv4 within a year
       • RIPE NCC and APNIC: no IPv4
     • Transition period has begun:
       • Carrier Grade NAT
       • Use one IPv4 for multitude of users
       • Differentiation is source port
       • Divide 65535 source ports over ? subscribers
     [Figure: packet fields: Source IP, Source port, Destination IP, Dest Port, Message body]

  4. IPv4-address attribution with CGN
     [Figure: five end users (LAN router/modem) with private IPv4 addresses 10.0.12.218, 10.0.12.219, 10.0.12.220, 10.0.13.221 and 10.0.13.222 at the Internet service provider, behind a Carrier Grade NAT with public IPv4 addresses 81.247.28.219 and 81.247.28.220, reaching web server 193.58.4.34 at the Internet content provider across the Internet]

  5. Results of FBI CGN Survey
     • Received 142 responses
     • Almost 200 cases affected
     • Majority of service providers (mostly mobile) are unable to provide subscriber data to legal requests
     • Cases involve cyber intrusions, armed robbery, child abduction and exploitation, wire fraud, fugitives, etc.
     • Case impacts:
       • Subjects not apprehended – Deadly fugitives, pedophiles
       • Cases delayed – lengthy circumvention via other methods
       • Cases closed – never able to start case effectively
       • Reduction of charges

  6. Sample Response to CGN IP Address • IP address 000.000.116.166 is allocated to XYZ Co. and/or Service Provider Corporation in conjunction with XYZ Wireless. These blocks of IPs are used by XYZ Wireless for internet access and web-based applications for wireless devices (such as web-enabled cell phones and aircards). Requested wireless IP assignment records are not created or retained in the normal course of business and XYZ is unable to isolate or identify any individual account or device.

  7. CGN Working Group
     • Convened 7 times since June 2011
     • Last meeting on March 27th at Cisco, San Jose, CA
     • Goal: CGN attribution solutions and IPv6 deployment
     • Participants:
       • US/Canadian Law Enforcement (FBI, Royal Canadian Mounted Police, Quebec Police, ICE, DEA, FTC, NCMEC, DOJ)
       • Government Agencies (Department of Commerce, Department of Defense, Industry Canada)
       • Providers (Sprint, AT&T, T-Mobile, Rogers, Videotron, Verizon, Cox, Time Warner Cable, Comcast, Qwest, Shaw, Frontier Communications)
       • Vendors (Juniper, Alcatel, Cisco, A10)
       • Content Providers (Amazon, Google, Microsoft)
       • Manufacturers (Apple, Linksys)

  8. CGN Attribution
     What needs to happen:
     • Law Enforcement:
       • Furnish/request more information to providers
     • Content providers (Google, Facebook, etc.) need to log source port
     • Application providers (Microsoft IIS, Apache) enable default or easy-to-switch-on source port logging
     • IPv6 deployment
     What's on the horizon?
     • ISPs (wire line only) state they have begun to develop solutions
     • Some content providers log source port
     • IETF RFCs for logging, e.g., Deterministic, RADIUS ??
     • Greater IPv6 deployment
     • Legislation?

  9. CGN Legal Requests
     • New information law enforcement will need when serving providers with legal orders for single subscriber attribution:
       • Source/Destination IP address
       • Source port number
       • Exact time of the connection (within a second)
       • RADIUS logs?
       • Netflow/IPFIX?

  10. Content Providers
      • Enable source port logging (proxy, firewall, web)
        • IETF RFC 6302
      • Modify transaction records to include source port
      • Include source port in response to historical records request
      • Many big content providers log source port – Facebook is notable exception

  11. Application Provider Microsoft/Apache
      Microsoft Request
      • White Paper: Benefits to the users of source port, ease of installing source port logging
      • Code: Source port logging functionality within GUI
      • Microsoft Tech Link
      • Statistical Validation of Source Port Logging Implementation
      Apache Request
      • httpd.config file: LogFormat "%t %h %{remote}p %l %u \"%r\" %>s %b" common
      • Submitted 21 September 2013 on: https://issues.apache.org/bugzilla/show_bug.cgi?id=53919&list_id=89136

  12. Other Attribution Concerns
      • TOR
      • Proxy Servers
      • FREENET
      • Poor WHOIS data
      • Bullet Proof Hosting
      • Hidden Lynx – "Advanced Hacker guns for Hire"
      • Hosting in 'unfriendly jurisdictions'

  13. Questions ? Email: drcodling@gmail.com Telephone: +1-703-232-9015
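
Added example (not part of the original presentation): a Python sketch of the attribution step that slides 9 to 11 describe. It parses access-log lines written with the slide 11 LogFormat and matches source IP, source port and time against CGN port-block records; the log lines, the record layout and the subscriber labels are constructed for illustration, with addresses borrowed from slide 4.

```python
import re
from datetime import datetime

# Slide 11 format: %t %h %{remote}p %l %u "%r" %>s %b
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<port>\d+) \S+ \S+ '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)$')

def ts(text):
    """Parse an Apache %t timestamp such as 03/Oct/2013:14:02:11 +0000."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")

def parse_line(line):
    """Return (time, source IP, source port), or None if no port was logged."""
    m = LINE_RE.match(line.strip())
    return (ts(m["time"]), m["ip"], int(m["port"])) if m else None

# Constructed CGN port-block records (assumed layout, not from the page):
# public IP, first port, last port, lease start, lease end, subscriber label.
CGN_BLOCKS = [
    ("81.247.28.219", 1024, 2047, ts("03/Oct/2013:14:00:00 +0000"),
     ts("03/Oct/2013:15:00:00 +0000"), "subscriber-A"),
    ("81.247.28.219", 2048, 3071, ts("03/Oct/2013:14:00:00 +0000"),
     ts("03/Oct/2013:15:00:00 +0000"), "subscriber-B"),
    ("81.247.28.219", 1024, 2047, ts("03/Oct/2013:16:00:00 +0000"),
     ts("03/Oct/2013:17:00:00 +0000"), "subscriber-C"),
]

def attribute(when, ip, port=None):
    """Subscribers whose block covers the IP (and port, when given) at `when`."""
    return [sub for pub, lo, hi, start, end, sub in CGN_BLOCKS
            if pub == ip and start <= when < end
            and (port is None or lo <= port <= hi)]

# Constructed access-log lines in the slide 11 format.
SAMPLE_LOG = [
    '[03/Oct/2013:14:02:11 +0000] 81.247.28.219 1530 - - "GET /index.html HTTP/1.1" 200 5120',
    '[03/Oct/2013:14:02:11 +0000] 81.247.28.219 2200 - - "POST /login HTTP/1.1" 302 -',
    '[03/Oct/2013:16:30:00 +0000] 81.247.28.219 1530 - - "GET /index.html HTTP/1.1" 200 5120',
]

def report(lines):
    """Per parsable line: (port, candidates by IP only, candidates by IP and port)."""
    out = []
    for when, ip, port in filter(None, map(parse_line, lines)):
        out.append((port, attribute(when, ip), attribute(when, ip, port)))
    return out

if __name__ == "__main__":
    for port, by_ip, by_ip_port in report(SAMPLE_LOG):
        print(port, by_ip, by_ip_port)
```

With the IP alone, the first two requests each map to two subscribers; adding the port narrows each to one, and the third line shows the same IP and port resolving to a different subscriber at a later time.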
